FungiCap
Jul 23, 2007

Let's all just calm down and put on our thinking caps.
The person who proudly held the mantle of “mean security person who always says ‘no’” left and now I have to be that person instead and I hate it.

Don’t work in cyber security if you want to be friends with anyone else outside of security team is what I’m saying.


Saukkis
May 16, 2003

Unless I'm on the inside curve pointing straight at oncoming traffic the high beams stay on and I laugh at your puny protest flashes.
I am Most Important Man. Most Important Man in the World.

SlowBloke posted:

https://learn.microsoft.com/en-us/purview/communication-compliance

And as all most interesting features in 365, it only works properly in English.

Finally we have a metric to show that ITsec is doing their work!

spankmeister
Jun 15, 2008

Just pivot to red teaming, you get to break stuff and you aren't the one that has to fix it.

Best part is next year's pentest where they haven't fixed anything because they "accepted the risk" and you just stroll your way to DA the same way you did last time. (This is fun the first time but gets really old the third or fourth time actually)

Reporting really sucks tho

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

FungiCap posted:

The person who proudly held the mantle of “mean security person who always says ‘no’” left and now I have to be that person instead and I hate it.

Don’t work in cyber security if you want to be friends with anyone else outside of security team is what I’m saying.

Easiest way to dispel that is just suggest alternatives or make them own the risks.

Don't say "No", say "Well, why don't you do it this way." Give them outs or enough rope to hang themselves

The Fool
Oct 16, 2003


Yeah, you can get a lot of mileage out of "Why do you need this?" followed up with a "Let's try it this way instead"

But you still get

Sickening posted:

Apparently HR reached out to me today because another employee cursed my name so many times in the previous days that they set off teams communication policies that sent alerts to HR. They tripped the "physical violence" filters. My sin? Created azure security policies (now called initiatives) that created guardrails like "can't create a public accessible storage account in x subscriptions". I was also shocked to find that the storage account they wanted to create as public was because networking is too hard and not because it was actually required. Sucks to suck I guess.

I also sat in an executive security leadership meeting where I was told the company needs to create a culture of security. Nobody could define what that meant, but everyone agreed we needed it. There were also mixed signals about wanting security training to be a happy thing while also punishing people who fail phishing simulations, so let's just say execs are still dumb sociopaths who don't understand human emotions.

people like the subject of this post and there's not a lot you can do about it.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug
Yup, won't always be a win, but you'll be viewed by most as someone willing to listen and align with the teams.

Achmed Jones
Oct 16, 2004

spankmeister posted:

Best part is next year's pentest where they haven't fixed anything because they "accepted the risk" and you just stroll your way to DA the same way you did last time. (This is fun the first time but gets really old the third or fourth time actually)

everybody should red team for a while but boy howdy i would not want to do that in perpetuity. there are of course some orgs that could keep it interesting over time, but they're few and far between

spankmeister
Jun 15, 2008

It's fun but like many infosec roles its good to transition out of after a while yeah

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

Sickening posted:

Apparently HR reached out to me today because another employee cursed my name so many times in the previous days that they set off teams communication policies that sent alerts to HR.

Do you get a pin, or a badge to sew onto your jacket? “I make you this mad at me so that our (customers’) lawyers don’t get that mad at you.”

bolind
Jun 19, 2005



Pillbug

Quite some time back I asked about RFID cloning tools and the Proxmark3 v3 came up. I finally decided to pull the trigger, and lo and behold it's sold out and appears to be discontinued.

What's the recommendation these days? Budget is around USD100.

evil_bunnY
Apr 2, 2003

The Fool posted:

people like the subject of this post and there's not a lot you can do about it.
the best and only trick you need is to stop giving a single gently caress and get that bag. Weaponized incompetence in management is not yours to fix.

Sickening posted:

Apparently HR reached out to me today because another employee cursed my name so many times in the previous days that they set off teams communication policies that sent alerts to HR. They tripped the "physical violence" filters.
In a just world this is what challenge coins are for.

Achmed Jones
Oct 16, 2004



bolind posted:

Quite some time back I asked about RFID cloning tools and the Proxmark3 v3 came up. I finally decided to pull the trigger, and lo and behold it's sold out and appears to be discontinued.

What's the recommendation these days? Budget is around USD100.

go to aliexpress and buy a clone.

evil_bunnY
Apr 2, 2003

MustardFacial posted:

I applied for a Cybersec Analyst position and got it (been a sysadmin for years and always security-first, but never actually done an infosec job). I was hyped for it from the beginning but then when my future manager called me to tell me that I got it and what to expect he mentioned that I'd be enrolled in a couple SANS courses, some SIEM training, I'd have to get my CISSP at some point, what my colleagues specialize in and mentioned that one of them has a SANS Challenge Coin.

Since then imposter syndrome has hit hard and now I'm wondering if I am even capable of doing this to their level. I'm 2 years younger than the manager and at least 5 years older than everyone else on my team. I haven't even started and I'm already feeling behind and unable to catch up. There is so much stuff I don't know how to do, and even more that I only have a general understanding of.
The fact you're willing to admit your supposed incompetence already places you at an advantage. It's a bunch of learning but you'll be fine.

HellaSecure
Aug 12, 2023

Sickening posted:

I also sat in an executive security leadership meeting where I was told the company needs to create a culture of security. Nobody could define what that meant, but everyone agreed we needed it. There were also mixed signals about wanting security training to be a happy thing while also punishing people who fail phishing simulations, so let's just say execs are still dumb sociopaths who don't understand human emotions.

Phishing simulations seriously need to die in a fire. They don’t help security awareness while also being ethically questionable.

Major Ryan
May 11, 2008

Completely blank

HellaSecure posted:

Phishing simulations seriously need to die in a fire. They don’t help security awareness while also being ethically questionable.

We've done phishing campaigns in the past and I've always tried to keep the content generic and never 'gotcha' people. And then follow that up with a whole bunch of positive reinforcement on what the campaign was trying to achieve. I'd say it's been worthwhile.

Now though I've got a meeting booked in with some clients about a joint campaign and the entire tone from the setup so far has been about how we can make these stupid idiots click on just about anything. This is going to be a hell of a meeting as I try to explain why treating your staff as if they're destructive five year olds might not be the best long term strategy. Or why the tone of suggesting "company pay rise" or "extra holiday" only to say "Not Really, Suckers, and also you're stupid and here's some mandatory remedial training" might not go over as well as you think it will.

I don't think the problem is phishing simulations, I think it's 'leaders' with zero empathy.

mllaneza
Apr 28, 2007

Veteran, Bermuda Triangle Expeditionary Force, 1993-1952

I'm in a weird place as far as relationships with Security go.

The product owner for Security Governance gave me PowerShell code to disable the bad kind of TeamViewer that can dial in whenever a vendor wants to touch one of our lab systems. They won't unblock downloads.teamviewer.com, but we can support it in labs where it's part of the support contract for a $BIGBUCKS instrument.

The firewall people will deep dive in Splunk to help us diagnose weird network issues, screensharing Splunk sessions live while they're working on it. I have easy catalogue items to update firewall rules or exclude an external host from SSL MITM fuckery with certificates.

The people who manage our antivirus solutions will spend hours with us watching the consoles live while we're trying to keep fireeye from breaking janky vendor software. These people are in Europe and about 9 time zones ahead of us, but they'll go live with West Coast US people. I talked them into creating a Lab Systems exceptions group, and on top of that gave them a list of AD OUs that only contained lab machines to automatically add our stuff to the group with the exceptions. They open tickets with the vendor when AV goes wild on the stuff I support. I send these people internal recognition awards a few times a year.

I expected all of these groups to default to "no". They don't, they want the work to get done, and they sincerely believe that they're here to add a layer of safety to the science. I'm blessed and I know it.

BonHair
Apr 28, 2007

Major Ryan posted:

We've done phishing campaigns in the past and I've always tried to keep the content generic and never 'gotcha' people. And then follow that up with a whole bunch of positive reinforcement on what the campaign was trying to achieve. I'd say it's been worthwhile.

Now though I've got a meeting booked in with some clients about a joint campaign and the entire tone from the setup so far has been about how we can make these stupid idiots click on just about anything. This is going to be a hell of a meeting as I try to explain why treating your staff as if they're destructive five year olds might not be the best long term strategy. Or why the tone of suggesting "company pay rise" or "extra holiday" only to say "Not Really, Suckers, and also you're stupid and here's some mandatory remedial training" might not go over as well as you think it will.

I don't think the problem is phishing simulations, I think it's 'leaders' with zero empathy.

Yeah, this is very true. The main issue with phishing campaigns is the same as "awareness" campaigns: they're just an easy way to do something that you can measure and check off the box about security for the year. If you actually manage to follow up with talking about why it's important and don't punish or shame people, it might have some (still small probably) effect, but often it's either just execute and report or execute, identify those that got got and punish.

Also if you reduced local admin rights, implemented separation of duties and MFA, that would do a lot more to protect against phishing.

Thanks Ants
May 21, 2004

#essereFerrari


The thing about phishing campaigns is that they require you to make a ton of exceptions so all their emails are delivered, meaning stuff that is pretending to come from your domain gets straight through into people's inboxes, and the "check it's not from an external source" thing that people have drilled into them no longer applies. Dinging someone for clicking a link in an email talking about them getting paid a bonus using language used within the organisation that the mail client is showing as a legit internal message is pointless.

cr0y
Mar 24, 2005



A few years back the security team at my place did an Obamacare marketplace lookalike thing and caused people to report legitimate emails as phishing attempts and inadvertently made a lot of people miss open enrollment.

Takes No Damage
Nov 20, 2004

The most merciful thing in the world, I think, is the inability of the human mind to correlate all its contents. We live on a placid island of ignorance in the midst of black seas of infinity, and it was not meant that we should voyage far.


Grimey Drawer

Thanks Ants posted:

Dinging someone for clicking a link in an email talking about them getting paid a bonus using language used within the organisation that the mail client is showing as a legit internal message is pointless.

This is one of the only ones that ever got me :argh: Now I just submit every email from my boss that's just something like 'hey go do this pls <link>' to our phishing team and ignore it until he follows up in person a week later.


SpartanIvy posted:

drat, I was just about to buy a license too....

ponzicar
Mar 17, 2008
My first week at my current job, I got a phishing test that had me scratching my head for a few minutes over how something so obviously fake got through our spam filters, then inspired me to create an Outlook rule that sends anything with knowbe4 in the headers directly to its own special folder.

Famethrowa
Oct 5, 2012

our phishing awareness training once included references to phishing attacks pretending to raise money for Ukraine and created a shitstorm of accusations that we were promoting Russian propaganda.

nevermind that charity scams were traced to Russian APT groups :)

Mustache Ride
Sep 11, 2001



ponzicar posted:

My first week at my current job, I got a phishing test that had me scratching my head for a few minutes over how something so obviously fake got through our spam filters, then inspired me to create an Outlook rule that sends anything with knowbe4 in the headers directly to its own special folder.

I did something similar but it forwards the email to the infosec person in charge of the phish training with

Cup Runneth Over
Aug 8, 2009

She said life's
Too short to worry
Life's too long to wait
It's too short
Not to love everybody
Life's too long to hate


ponzicar posted:

My first week at my current job, I got a phishing test that had me scratching my head for a few minutes over how something so obviously fake got through our spam filters, then inspired me to create an Outlook rule that sends anything with knowbe4 in the headers directly to its own special folder.

I wonder if I could set up a rule that automatically forwards anything from our security vendor's phishing test address directly to IT and then deletes it.

Cold on a Cob
Feb 6, 2006

i've seen so much, i'm going blind
and i'm brain dead virtually

College Slice

Cup Runneth Over posted:

I wonder if I could set up a rule that automatically forwards anything from our security vendor's phishing test address directly to IT and then deletes it.

Yeah, many of them use a header, e.g. "If message header includes X-PHISHTEST then move to Phishing folder"

evil_bunnY
Apr 2, 2003

mllaneza posted:

I'm in a weird place as far as relationships with Security go.

The product owner for Security Governance gave me PowerShell code to disable the bad kind of TeamViewer that can dial in whenever a vendor wants to touch one of our lab systems. They won't unblock downloads.teamviewer.com, but we can support it in labs where it's part of the support contract for a $BIGBUCKS instrument.

The firewall people will deep dive in Splunk to help us diagnose weird network issues, screensharing Splunk sessions live while they're working on it. I have easy catalogue items to update firewall rules or exclude an external host from SSL MITM fuckery with certificates.

The people who manage our antivirus solutions will spend hours with us watching the consoles live while we're trying to keep fireeye from breaking janky vendor software. These people are in Europe and about 9 time zones ahead of us, but they'll go live with West Coast US people. I talked them into creating a Lab Systems exceptions group, and on top of that gave them a list of AD OUs that only contained lab machines to automatically add our stuff to the group with the exceptions. They open tickets with the vendor when AV goes wild on the stuff I support. I send these people internal recognition awards a few times a year.

I expected all of these groups to default to "no". They don't, they want the work to get done, and they sincerely believe that they're here to add a layer of safety to the science. I'm blessed and I know it.
That's the way things are *supposed* to go but yeah count your loving blessings. The minute execs decide that's a cost center you'll be back to a dysfunctional nightmare.

cr0y posted:

A few years back the security team at my place did an Obamacare marketplace lookalike thing and caused people to report legitimate emails as phishing attempts and inadvertently made a lot of people miss open enrollment.
Come here, nice CTO, I've got a surprise for you, it's right behind the barn.

GrunkleStalin
Aug 13, 2021
I’ve spent the past 15 years as an IC/PM and now I’m responsible for hiring two Jr. Security Engineers. I have no idea what I’m doing and have vague goals like “improve security” and “automate” for my future team.
Do y’all have any advice on what to look for in a candidate?
Or how to build a team?
Or manage a team?

I’m so loving lost and in over my head.

i am a moron
Nov 12, 2020

"I think if there’s one thing we can all agree on it’s that Penn State and Michigan both suck and are garbage and it’s hilarious Michigan fans are freaking out thinking this is their natty window when they can’t even beat a B12 team in the playoffs lmao"
Well, first step is to take a deep breath. Managing people isn’t something you’re just going to figure out day 1. When you’re hiring, try to find people who you think will make average to good decisions without your input. This will cut down on having to get into the weeds with them. Since they’re juniors you’re going to have to either way, but less is better. Folks who value autonomy are usually the better folks to have around anyways.

Once you’ve hired some people, take another deep breath and just treat them like humans. Make sure you have a sane work intake/project management system. Read some books like this one: https://www.amazon.com/Managers-Pat...41-fda6b2cb1e77 but mostly just treat people like humans. Respond to what they need in ways that your organization has enabled you to. If they need more, ask your boss.

But seriously though baseline good management is just being a human and treating humans like humans. You’ll learn the rest as you go on.

Well Played Mauer
Jun 1, 2003

We'll always have Cabo
First Break All The Rules is a quick read that can help you get rolling by focusing on creating an environment where people can do their best work.

When you interview someone, especially juniors, they’re typically strong in one area but weak in others. Identify those strengths as best you can and try to build a team with different strengths that complement each other. Basically: don’t build a team of nine shortstops.

Also figure out what you want to teach and what you don’t want to teach. For example I can teach hard skills but don’t have the EQ to coach assholes even if they’re brilliant, so I bias hires toward people with natural communication skills and a desire to learn rather than raw technical horsepower.

Also you will gently caress up. Be transparent when you do and share more information about the job and the company than you think you should. The good hires will appreciate it.

Oh and try to hire people better/smarter than you. It makes your life much easier and clears you for upper management if that’s what you want because it shows you can identify talent and hire without making yourself irreplaceable at your current level.

BonHair
Apr 28, 2007

Be sure that the guys understand that you can't solve everything with automation, you gotta think a bit too. And also make sure they can talk to people, even in kinda hostile situations. You don't want introvert nerds who will break to any stupid demand unless you have someone to take all the battles for them. I dunno, try lightly teasing the candidates about their education or something and see if they fight back or just agree with your dumb opinions. But they also gotta be flexible, so don't get too arrogant young white men.

Sickening
Jul 16, 2007

Black summer was the best summer.

BonHair posted:

Be sure that the guys understand that you can't solve everything with automation, you gotta think a bit too. And also make sure they can talk to people, even in kinda hostile situations. You don't want introvert nerds who will break to any stupid demand unless you have someone to take all the battles for them. I dunno, try lightly teasing the candidates about their education or something and see if they fight back or just agree with your dumb opinions. But they also gotta be flexible, so don't get too arrogant young white men.

:yikes: When did this kind of posting become okay?

Wibla
Feb 16, 2011

BonHair posted:

Be sure that the guys understand that you can't solve everything with automation, you gotta think a bit too. And also make sure they can talk to people, even in kinda hostile situations. You don't want introvert nerds who will break to any stupid demand unless you have someone to take all the battles for them. I dunno, try lightly teasing the candidates about their education or something and see if they fight back or just agree with your dumb opinions. But they also gotta be flexible, so don't get too arrogant young white men.

The. What?

E: ok now that my brain has had some time to simmer down from that, here's some actual content: When you lead a team, they work for you, they're your people. Your job is to make them the best they can be, and to shield them from the inevitable bullshit that comes from (upper) management. If you take care of your people, they will take care of you.

BonHair
Apr 28, 2007

Okay, I made a bad post I guess, but can someone make me a better person by explaining why?

My point was that security involves doing something that will inconvenience other people, so if you're looking for candidates for a small team, it seems like a good skill to look for is ability to deal with conflicts.

Zorak of Michigan
Jun 10, 2006


BonHair posted:

Okay, I made a bad post I guess, but can someone make me a better person by explaining why?

My point was that security involves doing something that will inconvenience other people, so if you're looking for candidates for a small team, it seems like a good skill to look for is ability to deal with conflicts.

Junior people shouldn't be resolving conflicts, they should be identifying them and helping people initiate a process. They don't have the authority to make an exception and they don't have the standing to force compliance, so asking them to resolve anything is a waste of time and talent. The expectation should be that they provide people with information about security policy, identified vulnerabilities, exception policies, etc, and gather job experience while keeping the simple stuff off the desks of senior engineers and management.

Sickening
Jul 16, 2007

Black summer was the best summer.

BonHair posted:

Okay, I made a bad post I guess, but can someone make me a better person by explaining why?

My point was that security involves doing something that will inconvenience other people, so if you're looking for candidates for a small team, it seems like a good skill to look for is ability to deal with conflicts.

I don't buy this level of obliviousness.

i am a moron
Nov 12, 2020

"I think if there’s one thing we can all agree on it’s that Penn State and Michigan both suck and are garbage and it’s hilarious Michigan fans are freaking out thinking this is their natty window when they can’t even beat a B12 team in the playoffs lmao"

Well Played Mauer posted:


Also you will gently caress up. Be transparent when you do and share more information about the job and the company than you think you should. The good hires will appreciate it.

Really good advice. Also get ready to feel dirty when you can’t be transparent

CLAM DOWN
Feb 13, 2007

BonHair posted:

I dunno, try lightly teasing the candidates about their education or something and see if they fight back or just agree with your dumb opinions.

or maybe don't do this

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

BonHair posted:

Be sure that the guys understand that you can't solve everything with automation, you gotta think a bit too. And also make sure they can talk to people, even in kinda hostile situations. You don't want introvert nerds who will break to any stupid demand unless you have someone to take all the battles for them. I dunno, try lightly teasing the candidates about their education or something and see if they fight back or just agree with your dumb opinions. But they also gotta be flexible, so don't get too arrogant young white men.

Amazing troll, I gotta say.

“Use the extremely unbalanced power dynamic of an interview to make the candidate guess how you expect them to respond to a meta-stimulus of mocking.”

Defenestrategy
Oct 24, 2010

Hire people to do poo poo you don't want to do. Don't want to manage a SIEM? Hire dudes who have SIEM experience. Don't want to do code analysis? Hire someone with that.

Edit: when my team expanded we made a matrix of all of our responsibilities and marked which ones we'd rather someone else do. Worked out.

Defenestrategy fucked around with this message at 20:21 on Aug 21, 2023


Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

Zorak of Michigan posted:

Junior people shouldn't be resolving conflicts, they should be identifying them and helping people initiate a process. They don't have the authority to make an exception and they don't have the standing to force compliance, so asking them to resolve anything is a waste of time and talent. The expectation should be that they provide people with information about security policy, identified vulnerabilities, exception policies, etc, and gather job experience while keeping the simple stuff off the desks of senior engineers and management.

On the flip side, lovely people in the org love to go directly to the most junior person they can find with the permissions needed to do the wildly dumb thing they want. I've worked with total doormats who would just get harangued until they folded, time and time again, even after coaching and being told 'if this person ever talks to you again, you get me RIGHT AWAY, understand?'.

I have no idea how the hell you'd figure out how likely someone is to fold like that in an interview without being a shithead though.
